Mixed Reactions to Touch ID Security

By now you have likely heard the buzz about the iPhone 5S, particularly about its security feature, Touch ID. As CNN explained it, the phone has the ability to turn your fingerprint into a password.

It sounds like a great idea, and as my regular readers know, I applaud all efforts to improve security on any device—especially security introduced by Apple. Touch ID could be a boon to BYOD security. According to Trend Micro, upwards of 60 percent of smartphone users don’t lock their device with a password or PIN code. While the iPhone 5S allows users to bypass Touch ID in favor of using a password, I think that many users will appreciate being able to lock their phone without having to remember yet another password. That ease of use alone could increase the number of people who lock their phones. And, as Adrian Kingsley-Hughes wrote in a ZDNet story:

IT admins are always worried about security (or at least they should be), and while the iPhone, like its Android counterparts, allows for remote wiping of devices, biometric protection takes iPhone security to the next level. No more having to worry about someone watching over your shoulder when you enter your passcode because with the iPhone 5S passcodes will become a thing of the past.

Yet, many security experts aren’t sold on the security behind Touch ID. Dirk Sigurdson, director of engineering, Mobilisafe at Rapid7, told me in an email:

Assuming the iPhone fingerprint reader and matching algorithm do a good job of protecting against fake fingers, biometric authentication should overall improve the security of iOS devices. However, Apple has on a number of occasions released flawed versions of its passcode lock implementation which allow attackers to bypass lock screen protections. With the added complexity of biometric authentication, it’s likely that we’ll continue to see vulnerabilities related to these features. It will remain important for companies to monitor iOS vulnerabilities and to implement a method for updating devices when fixes are available.

Along that line, Joe Schumacher, security consultant at Neohapsis, a security consulting company, was quoted in eWeek:

Fingerprint biometrics is nice, but not a perfect solution, as fingerprints can be dirty or slightly changed to not be recognized. There have been proofs of concept about lifting fingerprints to make copies and unlocking biometric control, but that’s a dedicated attack and the typical user should not worry.